
Computer infected with email virus


This topic is locked
7 replies to this topic

#1 fquinonez

  • Members
  • 21 posts

Posted 24 November 2015 - 06:22 PM

Hello,

My computer has become infected with a virus that affects my email. It sends emails out to random contacts saying:

"Hello!

New message, please read http://______"

The URL is an infected site and the email includes the name of another of my contacts (although the email used to send it is my email).

I have tried completely reformatting my drive and reinstalling all software and backups, but the problem persists.

Attached are the FRST logs from my computer.

Hopefully you can help.

Thank you,

Francisco


#2 nasdaq

  • Malware Response Team
  • 39,585 posts
  • Location:Montreal, QC. Canada

Posted 26 November 2015 - 08:32 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Nothing suspicious was found on your logs.
This is just a cleanup of unwanted entries.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 mfeavfk01; \Device\mfeavfk01.sys [X]
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\CONTROL DE ALQUILERES:com.dropbox.attributes
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\DIRECCIONES USA.doc:com.dropbox.attributes
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\GAMES:com.dropbox.attributes
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\LISTA.docx:com.dropbox.attributes
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\McAfee Security Center.lnk:com.dropbox.attributes
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\Mis deseos para mi funeral:com.dropbox.attributes

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Your e-mail address has been spoofed and is being used by someone else.
The only solution I can recommend is that you get a new e-mail address.
Once it is created, send an email to your contacts and ask them to use that address from now on.

The new e-mail address will be shown in the header of the message.
They should add this new address to their contact list.
DO NOT repeat the address in the text of your message, as this is being broadcast to everyone on the internet.

For your information.
Email spoofing
https://en.wikipedia.org/wiki/Email_spoofing

#3 fquinonez


Posted 30 November 2015 - 06:44 PM

Thank you for your response. I will run the cleanup steps you mention above and report back.

In terms of the email spoofing, what concerns me is that the malicious emails are being sent only to my own contacts AND use the name of one of my contacts as the sender (even though it still uses my email). That means that the person doing the email spoofing also has access to all of my contacts somehow.

To be clear, let's assume I have 4 contacts (Mary, Sue, Joe, and Peter). What will happen is that three of the contacts (Mary, Sue and Joe) will receive the malicious email as though it is being sent by Peter, although in the sender info it includes Peter's full name and in parentheses it includes my email. Hence, the spoofer has access to the full names of my contacts AND their email addresses.

Is this a normal problem when someone has run into email spoofing? I have seen where someone has used my email address (spoofed) to send messages to random people. I notice this when I receive an auto-reply from someone I do not know regarding an email I did not send. However, this time it is very much my own information :-(

Thank you again for the help,

Francisco
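The pattern described in this post (a contact's display name paired with the poster's own address in the From header) can be checked mechanically against an address book. This is an added example, not code from the thread or from BleepingComputer; the message and the contact list below are constructed, and the function name `check_sender` and the contact names are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample reproducing the symptom from the post: the display name
# belongs to one contact (Peter) while the address is the poster's own.
SPOOFED_MESSAGE = """\
From: Peter Jones <francisco@example.com>
To: mary@example.org
Subject: Hello!

Hello!
New message, please read http://example.invalid/
"""

# Hypothetical address book: address -> the display name it is known by.
CONTACTS = {
    "francisco@example.com": "Francisco Quinonez",
    "peter.jones@example.net": "Peter Jones",
}


def check_sender(raw_message, contacts):
    """Return a list of findings explaining why the From header looks spoofed.

    An empty list means nothing looked off. Both checks are heuristics built
    only from the display name and address, so a finding is a reason to look
    closer at the message headers, not a verdict on its own.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    # 1. The address is known, but the display name is not the one on file.
    if addr in contacts and display and display != contacts[addr]:
        findings.append(f"display name {display!r} is not the known name for {addr}")
    # 2. The display name is a different contact's name (the "Peter" symptom).
    by_name = {name.lower(): a for a, name in contacts.items()}
    owner = by_name.get(display.lower())
    if owner and owner != addr:
        findings.append(f"display name {display!r} belongs to {owner}, not {addr}")
    return findings
```

Running `check_sender(SPOOFED_MESSAGE, CONTACTS)` reports both findings for the constructed message, while a message whose display name matches the address on file returns an empty list.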



#4 nasdaq


Posted 01 December 2015 - 09:22 AM

Do you get any undelivered messages?

If the spoofer is sending messages to an account that no longer exists, then you should get an undelivered message.

Is any one of your contacts receiving undelivered messages?

Spoofers generally don't use one address for very long. Unfortunately there is nothing that can be done to prevent the spoofing.

How long has this been going on?

#5 fquinonez


Posted 01 December 2015 - 01:27 PM

Hello.

Yes, just today I have received 75 undelivered messages, and I receive a lot of them each day.

Many times I receive undelivered messages from people to whom I have sent an email, BUT the email actually gets to that person.

This is why I do believe there is some sort of virus/trojan/etc. in my computer :-(



#6 fquinonez


Posted 01 December 2015 - 01:34 PM

Hello,

Below please find the text from the fixlog you requested.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:01-12-2015
Ran by Ana_Cristina_Sol (2015-12-01 12:30:24) Run:1
Running from C:\Users\Ana_Cristina_Sol\Desktop
Loaded Profiles: Ana_Cristina_Sol (Available Profiles: Ana_Cristina_Sol)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM-x32\...\Run: [] => [X]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 mfeavfk01; \Device\mfeavfk01.sys [X]
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\CONTROL DE ALQUILERES:com.dropbox.attributes
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\DIRECCIONES USA.doc:com.dropbox.attributes
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\GAMES:com.dropbox.attributes
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\LISTA.docx:com.dropbox.attributes
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\McAfee Security Center.lnk:com.dropbox.attributes
AlternateDataStreams: C:\Users\Ana_Cristina_Sol\Desktop\Mis deseos para mi funeral:com.dropbox.attributes
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
mfeavfk01 => service removed successfully
C:\Users\Ana_Cristina_Sol\Desktop\CONTROL DE ALQUILERES => ":com.dropbox.attributes" ADS removed successfully.
C:\Users\Ana_Cristina_Sol\Desktop\DIRECCIONES USA.doc => ":com.dropbox.attributes" ADS removed successfully.
C:\Users\Ana_Cristina_Sol\Desktop\GAMES => ":com.dropbox.attributes" ADS removed successfully.
C:\Users\Ana_Cristina_Sol\Desktop\LISTA.docx => ":com.dropbox.attributes" ADS removed successfully.
C:\Users\Ana_Cristina_Sol\Desktop\McAfee Security Center.lnk => ":com.dropbox.attributes" ADS removed successfully.
C:\Users\Ana_Cristina_Sol\Desktop\Mis deseos para mi funeral => ":com.dropbox.attributes" ADS removed successfully.
EmptyTemp: => 531.7 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 12:30:40 ====


#7 nasdaq


Posted 01 December 2015 - 02:43 PM

No. Your e-mail has been spoofed.

There is nothing I can do.
Believe me.

If this does not stop, you will have to get a new e-mail address.

Talk to your internet provider.

#8 nasdaq


Posted 07 December 2015 - 09:48 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



